This is listed in the Access Gateway Administrators document, but it’s buried deep, so here’s my own version.

Many implementations of the Citrix Access Gateway appliance will be replacing existing installations of Citrix Secure Gateway usually running on a Windows server. To migrate the certificate from Windows to the appliance follow these steps:

  1. Download the Win32 version of OpenSSL from SourceForge
  2. Extract the package to a folder e.g. C:\OPENSSL
  3. Export the certificate including the private key from the Windows server in PKCS12 format. This will require creating a password to protect the private key
  4. Convert the certifcate to PEM format using OpenSLL with the following command:c:\openssl\bin\openssl pkcs12 -in .pfx -out .pem -nodes</font>
  5. You will be prompted for the password for the certificate
  6. Enter the password and the certificate will be converted to PEM format
  7. Upload the certificate to the Access Gateway

Either delete both certificate files or keep them in a secure location.

Also see the following Citrix article on this process:

Convert PFX Certificate to PEM Format for Use with Citrix Access Gateway